Cloud Network Security Architecture
Design secure network architectures in cloud environments. Covers VPC design, security groups, NACLs, private endpoints, transit gateways, and the patterns that create defense-in-depth network security without sacrificing developer velocity.
Cloud networking security differs fundamentally from on-premises. There are no physical firewalls to rack — but there are dozens of software-defined controls that, when layered correctly, create defense-in-depth without slowing down development. The challenge is designing a network architecture that is both secure by default and self-service for developers.
VPC Design
Multi-Account VPC Architecture:
```
Account: Production
┌──────────────────────────────────────────────┐
│ VPC: 10.1.0.0/16                             │
│                                              │
│ ┌──────────────────┐  ┌──────────────────┐   │
│ │ Public Subnets   │  │ Private Subnets  │   │
│ │ 10.1.0.0/20      │  │ 10.1.16.0/20     │   │
│ │                  │  │                  │   │
│ │ ALB/NLB          │  │ Application      │   │
│ │ NAT Gateway      │  │ servers          │   │
│ │ Bastion (if any) │  │ No public IP     │   │
│ └──────────────────┘  └──────────────────┘   │
│                                              │
│ ┌──────────────────┐  ┌──────────────────┐   │
│ │ Data Subnets     │  │ Management       │   │
│ │ 10.1.32.0/20     │  │ 10.1.48.0/20     │   │
│ │                  │  │                  │   │
│ │ RDS, ElastiCache │  │ Monitoring       │   │
│ │ No internet      │  │ Logging          │   │
│ │ VPC endpoints    │  │ CI/CD agents     │   │
│ └──────────────────┘  └──────────────────┘   │
│                                              │
│ Transit Gateway → connects to other VPCs     │
└──────────────────────────────────────────────┘
```
Rules:
☐ Data subnets: No internet access (no NAT, no IGW)
☐ Private subnets: NAT gateway for outbound only
☐ Public subnets: Only load balancers and NAT
☐ Each tier in its own subnet with its own security group
☐ VPC Flow Logs enabled on all subnets
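The subnet rules above are route-table facts, so they can be checked mechanically. The following is an added example (not code from the page) that models each subnet's route table and flow-log setting and audits it against the tiers in the diagram: a data subnet must have neither an IGW nor a NAT route, a private subnet may only reach the internet through NAT, a public subnet through the IGW. The `Route`/`Subnet` types, the `audit_*` functions, the sample subnets and the assumption that the management tier follows the private-tier rule are all constructed for this example.

```python
"""Route-table audit for a tiered VPC (added example, not from the page)."""
from dataclasses import dataclass

# Which targets may carry an internet-bound route in each tier, per the rules above.
# Assumption: the management tier follows the private-tier rule (NAT outbound only).
ALLOWED_INTERNET_TARGETS = {
    "public": {"igw"},
    "private": {"nat"},
    "management": {"nat"},
    "data": set(),          # no IGW, no NAT: data subnets never reach the internet
}
INTERNET_TARGETS = {"igw", "nat"}


@dataclass(frozen=True)
class Route:
    destination: str        # destination CIDR, e.g. "0.0.0.0/0"
    target: str             # "local", "igw", "nat", "tgw", "vpce"


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    tier: str
    routes: tuple           # tuple of Route
    flow_logs: bool         # whether VPC Flow Logs are enabled for this subnet


def audit_subnet(subnet: Subnet) -> list:
    """Return the rule violations for one subnet; an empty list means compliant."""
    findings = []
    allowed = ALLOWED_INTERNET_TARGETS[subnet.tier]
    for route in subnet.routes:
        # An IGW or NAT target is an internet path regardless of the prefix it carries.
        if route.target in INTERNET_TARGETS and route.target not in allowed:
            findings.append(
                f"{subnet.name} ({subnet.tier}): {route.destination} via {route.target} is not permitted"
            )
    if not subnet.flow_logs:
        findings.append(f"{subnet.name} ({subnet.tier}): VPC Flow Logs disabled")
    return findings


def audit_vpc(subnets) -> list:
    """Audit every subnet and return all findings in subnet order."""
    findings = []
    for subnet in subnets:
        findings.extend(audit_subnet(subnet))
    return findings


# Constructed sample: the four tiers from the diagram, with two deliberate mistakes
# (a NAT route in the data subnet, and flow logs switched off on the management subnet).
LOCAL = Route("10.1.0.0/16", "local")
TO_TGW = Route("10.0.0.0/8", "tgw")
SAMPLE_SUBNETS = (
    Subnet("public-a", "10.1.0.0/20", "public", (LOCAL, Route("0.0.0.0/0", "igw")), True),
    Subnet("private-a", "10.1.16.0/20", "private", (LOCAL, TO_TGW, Route("0.0.0.0/0", "nat")), True),
    Subnet("data-a", "10.1.32.0/20", "data", (LOCAL, TO_TGW, Route("0.0.0.0/0", "nat")), True),
    Subnet("mgmt-a", "10.1.48.0/20", "management", (LOCAL, TO_TGW, Route("0.0.0.0/0", "nat")), False),
)

if __name__ == "__main__":
    for finding in audit_vpc(SAMPLE_SUBNETS):
        print("FINDING:", finding)
```

Run as-is it reports the two planted mistakes and nothing else. In a real pipeline the `Subnet` records would be built from the cloud provider's route-table and flow-log APIs or from Terraform state, and the audit would run as a CI gate on every network change.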
Security Group Design
Principle: Least privilege, application-aware
```yaml
# Web tier security group
web-sg:
  inbound:
    - {port: 443, source: 0.0.0.0/0}        # HTTPS from internet
    - {port: 80,  source: 0.0.0.0/0}        # HTTP, redirect to HTTPS only
  outbound:
    - {port: 8080, destination: app-sg}     # to application tier only

# Application tier security group
app-sg:
  inbound:
    - {port: 8080, source: web-sg}          # from web tier only
    - {port: 8080, source: internal-sg}     # from internal services
  outbound:
    - {port: 5432, destination: db-sg}      # to database only
    - {port: 6379, destination: cache-sg}   # to cache only
    - {port: 443,  destination: 0.0.0.0/0}  # HTTPS to external APIs

# Database tier security group
db-sg:
  inbound:
    - {port: 5432, source: app-sg}          # from app tier only
  outbound: []                              # database does not initiate connections
```
Key rules:
☐ NEVER use 0.0.0.0/0 for inbound except public endpoints
☐ Reference other security groups, not CIDR ranges
☐ Each tier can only talk to the tier directly below it
☐ Database tier has no outbound rules
☐ All changes via IaC, not console
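Because the key rules are stated in terms of ports, peers and tiers, they can be enforced as a linter over security-group definitions before they are applied. The following added example (not code from the page) encodes the three tiers above as a policy graph and flags any group that opens a non-public port to 0.0.0.0/0, uses a CIDR where a security-group reference belongs, or adds an egress edge that skips the tier model (including any egress at all from the database tier). The `Rule`/`SecurityGroup` types, the `lint_*` functions, the `legacy-sg` group and the policy tables are constructed for this example; the assumption is that the graph lists every tier, so any unlisted edge is a violation.

```python
"""Security-group rule linter for the tiered design (added example, not from the page)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port: int
    peer: str               # a CIDR such as "0.0.0.0/0" or a security-group name such as "app-sg"


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    inbound: tuple          # tuple of Rule
    outbound: tuple         # tuple of Rule


# Policy encoding the key rules above. Assumption: this graph is the complete list of
# tiers, so any edge not listed is a violation.
PUBLIC_GROUPS = {"web-sg"}               # the only groups allowed a 0.0.0.0/0 inbound rule
PUBLIC_PORTS = {80, 443}                 # and only on these ports
ALLOWED_EGRESS = {                       # tier -> tiers directly below it
    "web-sg": {"app-sg"},
    "app-sg": {"db-sg", "cache-sg"},
    "db-sg": set(),                      # database never initiates connections
    "cache-sg": set(),
}
ALLOWED_INTERNET_EGRESS = {"app-sg": {443}}   # app tier may call external HTTPS APIs


def is_cidr(peer: str) -> bool:
    """Distinguish a CIDR peer from a security-group reference."""
    return "/" in peer


def lint_group(sg: SecurityGroup) -> list:
    """Return the policy violations for one security group (empty list = compliant)."""
    findings = []
    for rule in sg.inbound:
        if rule.peer == "0.0.0.0/0":
            if sg.name not in PUBLIC_GROUPS or rule.port not in PUBLIC_PORTS:
                findings.append(f"{sg.name}: inbound {rule.port} open to the internet")
        elif is_cidr(rule.peer):
            findings.append(
                f"{sg.name}: inbound {rule.port} from CIDR {rule.peer}; reference a security group instead"
            )
    for rule in sg.outbound:
        if is_cidr(rule.peer):
            if rule.port not in ALLOWED_INTERNET_EGRESS.get(sg.name, set()):
                findings.append(f"{sg.name}: outbound {rule.port} to {rule.peer} not permitted")
        elif rule.peer not in ALLOWED_EGRESS.get(sg.name, set()):
            findings.append(f"{sg.name}: outbound {rule.port} to {rule.peer} skips the tier model")
    return findings


def lint_all(groups) -> list:
    """Lint a set of groups and return every finding in group order."""
    findings = []
    for sg in groups:
        findings.extend(lint_group(sg))
    return findings


# The three groups from the page, as defined above: these must lint clean.
WEB = SecurityGroup("web-sg",
                    inbound=(Rule(443, "0.0.0.0/0"), Rule(80, "0.0.0.0/0")),
                    outbound=(Rule(8080, "app-sg"),))
APP = SecurityGroup("app-sg",
                    inbound=(Rule(8080, "web-sg"), Rule(8080, "internal-sg")),
                    outbound=(Rule(5432, "db-sg"), Rule(6379, "cache-sg"), Rule(443, "0.0.0.0/0")))
DB = SecurityGroup("db-sg", inbound=(Rule(5432, "app-sg"),), outbound=())
COMPLIANT = (WEB, APP, DB)

# Constructed drifted groups: a console-edited "legacy-sg" with three violations, and a
# database group that has grown an egress rule.
LEGACY = SecurityGroup("legacy-sg",
                       inbound=(Rule(22, "0.0.0.0/0"), Rule(8080, "10.0.0.0/8")),
                       outbound=(Rule(5432, "db-sg"),))
DB_DRIFTED = SecurityGroup("db-sg", inbound=(Rule(5432, "app-sg"),),
                           outbound=(Rule(443, "0.0.0.0/0"),))
DRIFTED = (LEGACY, DB_DRIFTED)

if __name__ == "__main__":
    print("compliant set:", lint_all(COMPLIANT) or "no findings")
    for finding in lint_all(DRIFTED):
        print("FINDING:", finding)
```

The linter runs on the declared rules, not on live state, which is exactly where the "IaC-only changes" rule puts it: as a plan-time check, a console edit never reaches the policy graph at all, and a drifted live group shows up as a diff against the linted definition.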
Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Single security group for all resources | No isolation between tiers | Per-tier security groups with least privilege |
| 0.0.0.0/0 inbound on all ports | Entire infrastructure exposed | Only port 443 public, everything else private |
| No VPC Flow Logs | Cannot detect unauthorized access | Enable flow logs, send to SIEM |
| Direct internet access for databases | Data exfiltration risk | VPC endpoints for AWS services, no public IP |
| Manual security group changes | Drift, inconsistency, no audit trail | IaC-only changes, deny console modifications |
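The "No VPC Flow Logs" row is the detection side of the design: once flow logs exist, the tier model becomes something you can alert on. The following added example (not code from the page) parses records in the default VPC Flow Log version 2 field order and raises an alert for two things the architecture above says should never be accepted: a flow from the data subnet to a non-RFC 1918 address, and a flow from the public subnet straight into the data subnet. It also handles the NODATA/SKIPDATA records, whose address fields are `-` and must not be parsed as flows. The subnet CIDRs come from the diagram; the sample records, account id and ENI ids are constructed placeholders.

```python
"""Tier-violation detection over VPC Flow Log records (added example, not from the page)."""
import ipaddress

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Tier CIDRs from the VPC diagram.
PUBLIC_SUBNET = ipaddress.ip_network("10.1.0.0/20")
DATA_SUBNET = ipaddress.ip_network("10.1.32.0/20")
# RFC 1918 space; anything outside it is treated as "the internet".
RFC1918 = (ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16"))


def is_internet(addr) -> bool:
    return not any(addr in net for net in RFC1918)


def parse_record(line: str):
    """Parse one space-separated flow record. Returns None for NODATA/SKIPDATA
    records, whose address and port fields are '-' and describe no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        record[key] = int(record[key])
    return record


def find_violations(lines):
    """Return (rule, record) pairs for ACCEPTed flows that break the tier model."""
    alerts = []
    for line in lines:
        record = parse_record(line)
        if record is None or record["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(record["srcaddr"])
        dst = ipaddress.ip_address(record["dstaddr"])
        if src in DATA_SUBNET and is_internet(dst):
            alerts.append(("data-subnet-egress-to-internet", record))
        elif src in PUBLIC_SUBNET and dst in DATA_SUBNET:
            alerts.append(("public-tier-to-data-tier", record))
    return alerts


# Constructed sample records (account id and ENI ids are placeholders, not real).
SAMPLE_LOG = [
    # app tier -> database: expected
    "2 111111111111 eni-0aaaaaaaaaaaaaaaa 10.1.20.5 10.1.40.12 51344 5432 6 12 2048 1700000000 1700000060 ACCEPT OK",
    # database reply flow: expected
    "2 111111111111 eni-0bbbbbbbbbbbbbbbb 10.1.40.12 10.1.20.5 5432 51344 6 10 4096 1700000000 1700000060 ACCEPT OK",
    # data subnet reaching an external address: the data tier must have no internet path
    "2 111111111111 eni-0bbbbbbbbbbbbbbbb 10.1.40.12 203.0.113.7 43210 443 6 8 1320 1700000000 1700000060 ACCEPT OK",
    # public subnet to the database port, rejected by db-sg as designed: no alert
    "2 111111111111 eni-0bbbbbbbbbbbbbbbb 10.1.3.9 10.1.40.12 60001 5432 6 1 60 1700000000 1700000060 REJECT OK",
    # public subnet to the database port, accepted: a rule change has bypassed the app tier
    "2 111111111111 eni-0bbbbbbbbbbbbbbbb 10.1.3.9 10.1.40.12 60002 5432 6 5 800 1700000000 1700000060 ACCEPT OK",
    # no traffic in the window: no addresses to evaluate
    "2 111111111111 eni-0cccccccccccccccc - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for rule, record in find_violations(SAMPLE_LOG):
        print(f"ALERT {rule}: {record['srcaddr']} -> {record['dstaddr']}:{record['dstport']}")
```

The REJECT record is deliberately not alerted on: a rejected probe is the security group doing its job and belongs in a volume-based rule, whereas an ACCEPT across a forbidden tier boundary means a control has changed and needs a person to look at it now. Shipping these alerts to the SIEM is the "send to SIEM" half of the table row above.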
Cloud network security is about layers. Each layer — VPC, subnet, security group, NACL, VPC endpoint — adds a barrier that an attacker must breach. No single layer is perfect, but together they create defense-in-depth that is both secure and auditable.